security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-25 15:27:03 +01:00
Code Activity

* export.c (do_export_stream): Warn the user when exporting a secret key

Browse Source 
if it or any of its secret subkeys are protected with SHA1 while
simple_sk_checksum is set.

* parse-packet.c (parse_key): Show when the SHA1 protection is used in
--list-packets.

* options.h, build-packet.c (do_comment), g10.c (main): Rename
--no-comment as --sk-comments/--no-sk-comments (--no-comment still works)
and make the default be --no-sk-comments.
This commit is contained in:
David Shaw 2002-05-07 15:21:57 +00:00
parent 7d217ecd7a
commit d5d974536e
6 changed files with 67 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
g10/ChangeLog
View File

@ -1,3 +1,16 @@
2002-05-07 David Shaw <dshaw@jabberwocky.com>
* export.c (do_export_stream): Warn the user when exporting a
secret key if it or any of its secret subkeys are protected with
SHA1 while simple_sk_checksum is set.
* parse-packet.c (parse_key): Show when the SHA1 protection is
used in --list-packets.
* options.h, build-packet.c (do_comment), g10.c (main): Rename
--no-comment as --sk-comments/--no-sk-comments (--no-comment still
works) and make the default be --no-sk-comments.
2002-05-07 Werner Koch <wk@gnupg.org> 2002-05-07 Werner Koch <wk@gnupg.org>
* keygen.c (get_parameter_algo): Never allow generation of the * keygen.c (get_parameter_algo): Never allow generation of the
@ -8,7 +21,7 @@
2002-05-07 David Shaw <dshaw@jabberwocky.com> 2002-05-07 David Shaw <dshaw@jabberwocky.com>
* keyedit.c (sign_uids): If --expert it set, allow re-signing a * keyedit.c (sign_uids): If --expert is set, allow re-signing a
uid to promote a v3 self-sig to a v4 one. This essentially uid to promote a v3 self-sig to a v4 one. This essentially
deletes the old v3 self-sig and replaces it with a v4 one. deletes the old v3 self-sig and replaces it with a v4 one.

2
g10/build-packet.c
View File

@ -196,7 +196,7 @@ write_fake_data( IOBUF out, MPI a )
static int static int
do_comment( IOBUF out, int ctb, PKT_comment *rem ) do_comment( IOBUF out, int ctb, PKT_comment *rem )
{ {
if( !opt.no_comment ) { if( opt.sk_comments ) {
write_header(out, ctb, rem->len); write_header(out, ctb, rem->len);
if( iobuf_write( out, rem->data, rem->len ) ) if( iobuf_write( out, rem->data, rem->len ) )
return G10ERR_WRITE_FILE; return G10ERR_WRITE_FILE;

36
g10/export.c
View File

@ -152,6 +152,9 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
while (!(rc = keydb_search (kdbhd, desc, ndesc))) { while (!(rc = keydb_search (kdbhd, desc, ndesc))) {
int sha1_warned=0;
u32 sk_keyid[2];
if (!users) if (!users)
desc[0].mode = KEYDB_SEARCH_MODE_NEXT; desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
@ -172,23 +175,29 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
} }
} }
node=find_kbnode( keyblock, PKT_SECRET_KEY );
if(node)
{
PKT_secret_key *sk=node->pkt->pkt.secret_key;
keyid_from_sk(sk,sk_keyid);
/* we can't apply GNU mode 1001 on an unprotected key */ /* we can't apply GNU mode 1001 on an unprotected key */
if( secret == 2 if( secret == 2 && !sk->is_protected )
&& (node = find_kbnode( keyblock, PKT_SECRET_KEY ))
&& !node->pkt->pkt.secret_key->is_protected )
{ {
log_info(_("key %08lX: not protected - skipped\n"), log_info(_("key %08lX: not protected - skipped\n"),
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) ); (ulong)sk_keyid[1]);
continue; continue;
} }
/* no v3 keys with GNU mode 1001 */ /* no v3 keys with GNU mode 1001 */
if( secret == 2 && node->pkt->pkt.secret_key->version == 3 ) if( secret == 2 && sk->version == 3 )
{ {
log_info(_("key %08lX: PGP 2.x style key - skipped\n"), log_info(_("key %08lX: PGP 2.x style key - skipped\n"),
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) ); (ulong)sk_keyid[1]);
continue; continue;
} }
}
/* and write it */ /* and write it */
for( kbctx=NULL; (node = walk_kbnode( keyblock, &kbctx, 0 )); ) { for( kbctx=NULL; (node = walk_kbnode( keyblock, &kbctx, 0 )); ) {
@ -232,6 +241,21 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
node->pkt->pkt.secret_key->protect.s2k.mode = save_mode; node->pkt->pkt.secret_key->protect.s2k.mode = save_mode;
} }
else { else {
/* Warn the user if the secret key or any of the secret
subkeys are protected with SHA1 and we have
simple_sk_checksum set. */
if(!sha1_warned && opt.simple_sk_checksum &&
(node->pkt->pkttype==PKT_SECRET_KEY ||
node->pkt->pkttype==PKT_SECRET_SUBKEY) &&
node->pkt->pkt.secret_key->protect.sha1chk)
{
/* I hope this warning doesn't confuse people. */
log_info("Warning: secret key %08lX does not have a "
"simple SK checksum\n",(ulong)sk_keyid[1]);
sha1_warned=1;
}
rc = build_packet( out, node->pkt ); rc = build_packet( out, node->pkt );
} }

16
g10/g10.c
View File

@ -150,7 +150,8 @@ enum cmd_and_opt_values { aNull = 0,
#ifdef __riscos__ #ifdef __riscos__
oStatusFile, oStatusFile,
#endif /* __riscos__ */ #endif /* __riscos__ */
oNoComment, oSKComments,
oNoSKComments,
oNoVersion, oNoVersion,
oEmitVersion, oEmitVersion,
oCompletesNeeded, oCompletesNeeded,
@ -405,7 +406,9 @@ static ARGPARSE_OPTS opts[] = {
#ifdef __riscos__ #ifdef __riscos__
{ oStatusFile, "status-file" ,2, N_("|[file]|write status info to file") }, { oStatusFile, "status-file" ,2, N_("|[file]|write status info to file") },
#endif /* __riscos__ */ #endif /* __riscos__ */
{ oNoComment, "no-comment", 0, "@"}, { oNoSKComments, "no-comment", 0, "@"},
{ oNoSKComments, "no-sk-comments", 0, "@"},
{ oSKComments, "sk-comments", 0, "@"},
{ oCompletesNeeded, "completes-needed", 1, "@"}, { oCompletesNeeded, "completes-needed", 1, "@"},
{ oMarginalsNeeded, "marginals-needed", 1, "@"}, { oMarginalsNeeded, "marginals-needed", 1, "@"},
{ oMaxCertDepth, "max-cert-depth", 1, "@" }, { oMaxCertDepth, "max-cert-depth", 1, "@" },
@ -1045,7 +1048,8 @@ main( int argc, char **argv )
case oNoVerbose: g10_opt_verbose = 0; case oNoVerbose: g10_opt_verbose = 0;
opt.verbose = 0; opt.list_sigs=0; break; opt.verbose = 0; opt.list_sigs=0; break;
case oQuickRandom: quick_random_gen(1); break; case oQuickRandom: quick_random_gen(1); break;
case oNoComment: opt.no_comment=1; break; case oSKComments: opt.sk_comments=1; break;
case oNoSKComments: opt.sk_comments=0; break;
case oNoVersion: opt.no_version=1; break; case oNoVersion: opt.no_version=1; break;
case oEmitVersion: opt.no_version=0; break; case oEmitVersion: opt.no_version=0; break;
case oCompletesNeeded: opt.completes_needed = pargs.r.ret_int; break; case oCompletesNeeded: opt.completes_needed = pargs.r.ret_int; break;
@ -1089,7 +1093,7 @@ main( int argc, char **argv )
opt.rfc1991 = 1; opt.rfc1991 = 1;
opt.rfc2440 = 0; opt.rfc2440 = 0;
opt.force_v4_certs = 0; opt.force_v4_certs = 0;
opt.no_comment = 1; opt.sk_comments = 0;
opt.escape_from = 1; opt.escape_from = 1;
break; break;
case oOpenPGP: case oOpenPGP:
@ -1447,7 +1451,7 @@ main( int argc, char **argv )
opt.force_mdc = 0; opt.force_mdc = 0;
opt.disable_mdc = 1; opt.disable_mdc = 1;
opt.force_v4_certs = 0; opt.force_v4_certs = 0;
opt.no_comment = 1; opt.sk_comments = 0;
opt.escape_from = 1; opt.escape_from = 1;
opt.force_v3_sigs = 1; opt.force_v3_sigs = 1;
opt.pgp2_workarounds = 1; opt.pgp2_workarounds = 1;
@ -1463,7 +1467,7 @@ main( int argc, char **argv )
{ {
opt.force_mdc=0; opt.force_mdc=0;
opt.disable_mdc=1; opt.disable_mdc=1;
opt.no_comment=1; opt.sk_comments=0;
opt.escape_from=1; opt.escape_from=1;
opt.force_v3_sigs=1; opt.force_v3_sigs=1;
opt.ask_sig_expire=0; opt.ask_sig_expire=0;

2
g10/options.h
View File

@ -69,7 +69,7 @@ struct {
char *def_recipient; char *def_recipient;
int def_recipient_self; int def_recipient_self;
int def_cert_check_level; int def_cert_check_level;
int no_comment; int sk_comments;
int no_version; int no_version;
int marginals_needed; int marginals_needed;
int completes_needed; int completes_needed;

2
g10/parse-packet.c
View File

@ -1561,7 +1561,7 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen,
if( list_mode ) { if( list_mode ) {
printf(", algo: %d,%s hash: %d", printf(", algo: %d,%s hash: %d",
sk->protect.algo, sk->protect.algo,
sk->protect.sha1chk? "" sk->protect.sha1chk?" SHA1 protection,"
:" simple checksum,", :" simple checksum,",
sk->protect.s2k.hash_algo ); sk->protect.s2k.hash_algo );
if( sk->protect.s2k.mode == 1 if( sk->protect.s2k.mode == 1